RHEL-137585

ipa-server-upgrade succeeds but ipactl restart fails due to ipa-dnskeysyncd service failure caused by SELinux AVC denial on RHEL 9.8


    • Type: Bug
    • Resolution: Unresolved
    • rhel-9.8
    • ipa
    • Important
    • rhel-idm-ipa

      What were you trying to do that didn't work?

      On RHEL 9.8, after upgrading FreeIPA server packages from:
      ipa-server-4.12.2-14.el9_6.6 to ipa-server-4.13.0-1.el9,
      the ipa-server-upgrade command completes successfully, but a subsequent
      ipactl restart fails because the ipa-dnskeysyncd service does not start. The failure correlates with an SELinux AVC denial involving restorecon attempting to relabel the file softhsm_pin, which is labeled with ipa_dnskey_t. This prevents proper startup of DNS key synchronization services.
      This issue is reproducible during automated FreeIPA upgrade testing on RHEL 9.8.

      Please provide the package NVR for which the bug is seen:

      ipa-server-4.13.0-1.el9

      How reproducible is this bug?:

      With the latest build ipa-server-4.13.0-1.el9, every time.

      Steps to reproduce

      • Install RHEL 9.8 system
      • Install FreeIPA server:
        ipa-server-4.12.2-14.el9_6.6
      • Configure IPA server (DNS enabled)
      • Upgrade FreeIPA packages to:
        ipa-server-4.13.0-1.el9
      • Run:
        ipa-server-upgrade
      • Restart IPA services:
        ipactl restart

      Expected results

      • ipactl restart should succeed after a successful ipa-server-upgrade
      • No SELinux AVC denials should block IPA service startup
      • ipa-dnskeysyncd service should start cleanly

      Actual results

      • ipa-server-upgrade reports success:
        INFO The ipa-server-upgrade command was successful
      • ipactl restart fails:
        Failed to start ipa-dnskeysyncd Service
        Aborting ipactl
      • SELinux denies relabeling of softhsm_pin:
        avc: denied { relabelto } for comm="restorecon" name="softhsm_pin" tcontext=unconfined_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=0
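Added here as an example (not part of the bug report or of FreeIPA): a POSIX shell check that pulls relabelto denials against ipa_dnskey_t-labeled files out of audit records, so an automated upgrade run can tell a blocking denial from a permissive-mode one before attempting ipactl restart. The audit records are constructed from the AVC quoted above; pid, inode, device and scontext values are placeholders.

```shell
#!/bin/sh
# Constructed sample of audit records (not from the report): record 101 is
# the denial quoted in the bug, 102 and 103 are unrelated denials that must
# be filtered out, 104 is the same denial after a switch to permissive mode.
# pid/ino/dev/scontext values are placeholders.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1700000000.000:101): avc:  denied  { relabelto } for  pid=1111 comm="restorecon" name="softhsm_pin" dev="dm-0" ino=12345 scontext=system_u:system_r:setfiles_t:s0 tcontext=unconfined_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.000:102): avc:  denied  { relabelto } for  pid=1111 comm="restorecon" name="other.conf" dev="dm-0" ino=12346 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.000:103): avc:  denied  { read } for  pid=2222 comm="named" name="softhsm_pin" dev="dm-0" ino=12345 scontext=system_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.000:104): avc:  denied  { relabelto } for  pid=3333 comm="restorecon" name="softhsm_pin" dev="dm-0" ino=12345 scontext=system_u:system_r:setfiles_t:s0 tcontext=unconfined_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=1'

# Read audit records on stdin; print "comm name type mode" for every
# relabelto denial whose target is labeled ipa_dnskey_t. mode is
# "enforcing" (the relabel was blocked) or "permissive" (logged only).
ipa_dnskey_relabel_denials() {
    awk '
    # Value of key="value" or key=value inside one audit record.
    function field(rec, key) {
        if (match(rec, key "=\"[^\"]*\""))
            return substr(rec, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        if (match(rec, key "=[^ ]*"))
            return substr(rec, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    /avc: *denied *[{] *relabelto *[}]/ {
        split(field($0, "tcontext"), ctx, ":")   # user:role:type:level
        if (ctx[3] != "ipa_dnskey_t") next
        mode = (field($0, "permissive") == "0") ? "enforcing" : "permissive"
        print field($0, "comm"), field($0, "name"), ctx[3], mode
    }'
}

# Exit 0 when at least one blocked (enforcing) denial is present, so the
# check can gate an automated upgrade run before ipactl restart is attempted.
has_blocking_ipa_dnskey_denial() {
    ipa_dnskey_relabel_denials | grep -q ' enforcing$'
}

# Demo on the constructed sample; on a live host replace the printf with
# "ausearch -m AVC -ts boot".
printf '%s\n' "$SAMPLE_AUDIT_LOG" | ipa_dnskey_relabel_denials
```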

              Florence Renaud (frenaud@redhat.com)
              Pranav Thube (rh-ee-pthube)
              Sudhir Menon